Roundy’s Supermarkets, Inc.

PICK ‘N SAVE • COPPS • RAINBOW FOODS

Product Information Manager (PIM)

Policies and Procedures

Effective Date: August 1, 2006

1.0 Product Information Manager Policy

Product Information Manager (“PIM”) is a communications portal designed to improve supply chain effectiveness between Roundy’s Supermarkets, Inc. (“Roundy’s”) and its manufacturer and broker partners (“Vendors”). Initially, Roundy’s will require Vendors to submit new items through this portal as well as any updates to item information, excluding cost and deal. In subsequent phases, Roundy’s will require Vendors to submit cost and deal changes through the portal. The end result is the full elimination of the Microsoft Excel spreadsheets currently in use. This policy document includes the PIM policy definition and incorporates Roundy’s Information Systems Security Standards policy.

1.1 Scope

This document applies to all vendors, manufacturers, and brokers of product supplied to Roundy’s. Products supplied include, but are not limited to, consumer packaged goods, ingredients, supplies, shippers, display sets, and retail product set fixtures.

1.2 PIM Policy Violations

Violation of the Roundy’s PIM Policies and Procedures document and/or the Product Information Manager Access License Agreement will result in action up to immediate access revocation from PIM.

1.3 Roles and Responsibilities

1.3.1 Roundy’s Category Manager

The Category Manager (“CM”) is a Roundy’s employee who manages the relationship between Roundy’s and Vendor. The CM is responsible for Vendor access to PIM.

1.3.2 Vendor Security Administrator – Primary & Secondary

The primary and secondary Vendor Security Administrator (“VSA”) shall be responsible for managing the authorization of other Vendor employees that may have access to the Product Information Manager (all employees of Vendor given authorization to access the Product Information Manager hereafter referred to as “Users” or individually as a “User”). It is recommended that the primary and secondary VSA be a function of the Vendor’s security or Information Technology departments.

1.3.3 Vendor Executive Management

This user, employed by or representing the vendor, manufacturer or broker, accepts responsibility for the Roundy’s Product Information Manager License Agreement document. This person provides an indication of their understanding of Roundy’s policies and standards. This person also accepts the responsibility of adhering to the agreement by enforcing these policies and standards at the vendor, manufacturer, or broker.

1.4 Communications Portal Access Requirements

1.4.1 Equipment and Internet Access

All equipment and Internet access necessary for Vendor and the Users to access the PIM (“Equipment”) shall be provided by Vendor. Roundy’s shall have no obligation regarding selection, acquisition, maintenance or use of the Equipment.

1.4.2 Web Browser Recommendation

Microsoft Internet Explorer version 6 or higher is recommended for use with PIM.

1.5 User Security

The following user security requirements represent the minimum security requirements imposed by Roundy’s on Vendor.

1.5.1 User Credentials

1.5.1.1 Composition of User IDs

User IDs will consist of a minimum of six characters, with no maximum other than system-imposed limits.

1.5.1.2 Approval of User ID Request

VSA approval is required before new credentials can be issued.

1.5.1.3 User Credential Expiration

User credentials for employees are valid for the term of their employment. The credentials of temporary and contract employees and consultants will be set to expire on the date of the last day of their contracted project.

1.5.1.4 System Account Suspension for Failed Login Attempts

Users’ accounts will be locked after three successive login failures. Users will not be able to log in until their identity has been verified and their account has been unlocked by an authorized security administrator.

1.5.1.5 Shared User Credentials

The use of shared user credentials is prohibited.

1.5.1.6 Re-use of User Credentials

The re-use of previously assigned user credentials is not permitted unless a complete audit trail is maintained for reused credentials.

1.5.2 Password Use and Protection

1.5.2.1 Password Requirement

Passwords are required as a security mechanism to authenticate a user’s identity before granting access to Roundy’s Information Systems.

1.5.2.2 Password Confidentiality

Users must protect the secrecy of personal passwords by never disclosing or sharing them with anyone and by changing them when required by policy or whenever there is a suspicion that the secrecy of a password has been compromised.

1.5.2.3 Responsibility

The User is responsible for all actions taken by any party using that authorized user’s credentials.

1.5.2.4 Password Composition

  • Use a minimum of seven characters.
  • Passwords are case sensitive.
  • It is suggested that the user mix uppercase and lowercase letters, numbers (digits), punctuation marks and special keyboard characters. Special keyboard characters consist of the following:

~ @ # $ % ^ & * _ = + [ ] { } \ | / < >

1.5.2.5 Expiration

Passwords must be set to expire after a maximum of 12 weeks (84 days). Passwords used to grant privileged access will be set to expire after a maximum of 6 weeks (42 days).

1.5.2.6 Password Re-use

Expired passwords must not be re-used for at least 20 iterations.

1.5.2.7 New and Reset Passwords

  • Passwords will be issued by a Roundy’s security administrator or system software.
  • New passwords issued are valid only for the user’s first on-line session. The user must create a new password after authentication and before performing any other tasks.
  • User password resets will be performed only when requested by the user to whom the User ID is assigned, after verification of that user’s identity.
  • Communication of new and reset passwords must be done in a secure manner.
  • If email is used, reference to the User ID and password must be sent in separate emails.

1.5.2.8 Compromised Access

The User will immediately notify their VSA in the event of a compromise or suspected compromise of a User ID or password. The VSA will immediately notify Roundy’s in the event of a compromise or a suspected compromise of a User ID or password.

1.5.2.9 Access Limitations

No user will initiate any action to circumvent any security control, and no user will intentionally perform malicious activities that could impact Roundy’s Information Systems (e.g., denial of service attack, virus attack, etc.).

1.5.3 Anti-Virus Software

All computers used to access the PIM system will have up-to-date anti-virus software (such as McAfee, Norton, etc.) installed and enabled.

1.5.4 User Access Validation

The VSA will be responsible for validating user access at least annually. This validation will include, at minimum, a full review of all users present in the PIM application with access to data shared between Roundy’s and Vendor.

1.5.5 Revocation of User Access

Roundy’s reserves the right to revoke user access with or without advance notification.

1.6 Product Information Manager Policy Changes

1.6.1 Roundy’s reserves the right to modify the policies and guidelines set within this policy.

1.6.2 Roundy’s will provide advance notification of policy changes to all vendors, manufacturers, and brokers.


Roundy’s Supermarkets, Inc. – PIM – Vendor Agreement